Setting Up A Certificate Manager With Ocsp Service - Netscape MANAGEMENT SYSTEM 6.1 - ADMINISTRATOR Administrator's Manual

service. The internal OCSP service checks certificate status against the internal
database of the Certificate Manager. The Online Certificate Status Manager checks
certificate status against the CRLs provided by the Certificate Manager, which it
stores in its own internal database.)
You can configure the Certificate Manager to generate and publish CRLs whenever
a certificate is revoked and at specified intervals, say every 20 minutes. Because the
purpose of setting up an OCSP responder is to facilitate real-time verification of
certificates, you should configure the Certificate Manager to generate and publish
the CRL to the Online Certificate Status Manager every time a certificate is
revoked. Publishing CRLs only at specific intervals would defeat that purpose,
because the CRL the Online Certificate Status Manager looks up during verification
would always be outdated. Note that if the CRL is large, the Certificate Manager
could take a considerable amount of time to publish it.
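
The following toy timing model is an added illustration, not Netscape CMS code or configuration. It compares the two publishing policies described above by measuring how long a responder that answers from a pushed CRL keeps reporting a revoked certificate as good. The serial numbers, revocation times and the 2-minute publish cost are constructed assumptions; only the 20-minute interval comes from the text.

```python
# Added illustration: a toy timing model, not Netscape CMS code.
# Times are in minutes; serials, revocation times and publish cost are constructed.

def interval_schedule(interval, horizon):
    """Start times of CRL generation when the CA publishes on a fixed interval."""
    return list(range(0, horizon + interval, interval))

def stale_window(revoked_at, publish_starts, publish_cost):
    """Minutes after revocation during which the responder still answers 'good'.

    A CRL whose generation starts at s lists every revocation made at or before s
    and reaches the responder at s + publish_cost (a larger CRL costs more).
    """
    first = min(s for s in publish_starts if s >= revoked_at)
    return first + publish_cost - revoked_at

def responder_status(serial, now, revocations, publish_starts, publish_cost):
    """Answer from the newest CRL the responder has fully received by `now`."""
    received = [s for s in publish_starts if s + publish_cost <= now]
    if not received:
        return "no CRL loaded"
    revoked_at = revocations.get(serial)
    if revoked_at is not None and revoked_at <= max(received):
        return "revoked"
    return "good"

def worst_case(revocations, publish_starts, publish_cost):
    """Longest stale window over all revocations for one publishing policy."""
    return max(stale_window(t, publish_starts, publish_cost)
               for t in revocations.values())

REVOCATIONS = {"0x1a": 3, "0x2b": 21, "0x3c": 39}  # serial -> revocation time
EVERY_20_MIN = interval_schedule(20, 60)            # [0, 20, 40, 60]
ON_REVOCATION = sorted(REVOCATIONS.values())        # publish at each revocation
PUBLISH_COST = 2                                    # assumed time to publish the CRL

if __name__ == "__main__":
    for name, schedule in (("every 20 min", EVERY_20_MIN),
                           ("on revocation", ON_REVOCATION)):
        print(name, "worst stale window:",
              worst_case(REVOCATIONS, schedule, PUBLISH_COST), "min")
        print("  status of 0x1a at t=10:",
              responder_status("0x1a", 10, REVOCATIONS, schedule, PUBLISH_COST))
```

With publishing on revocation, the stale window shrinks to the publish cost itself, which is why the size of the CRL still matters.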
As explained earlier, the Online Certificate Status Manager stores each Certificate
Manager's CRL in its internal database and uses it as the default CRL store for
verifying certificates. You can also configure the Online Certificate Status Manager
to use the CRL published to an LDAP directory by a Certificate Manager. In this
case, the Certificate Manager does not have to send CRL updates to the Online
Certificate Status Manager; it publishes them to the LDAP directory, which the
Online Certificate Status Manager is able to read. If you do so, the Online
Certificate Status Manager uses the CRL published to the LDAP directory instead
of the CRL in its internal database.
For step-by-step instructions on setting up an OCSP-compliant PKI using the
Online Certificate Status Manager, see "Installing an Online Certificate Status
Manager" on page 176.
Setting Up a Certificate Manager with OCSP Service
The Certificate Manager has a built-in OCSP service feature that OCSP-compliant
clients can use for real-time verification of certificates issued by the
Certificate Manager. This section explains how to set up an OCSP-compliant PKI
using the Certificate Manager's OCSP-service feature.
You must have OCSP-compliant clients in order to be able to use the OCSP service.
1. Make sure the OCSP service for the CA is enabled.

Chapter 5
OCSP Responder
171
